Department of Homeland Security

Information Technology Management Letter for the Transportation Security Administration Component of the FY 2011 DHS Financial Statement Audit

OIG-12-47                                         March 2012

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

March 9, 2012

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department.

This report presents the information technology (IT) management letter for the Transportation Security Administration (TSA) component of the fiscal year (FY) 2011 DHS consolidated financial statement audit as of September 30, 2011. It contains observations and recommendations related to information technology internal control weaknesses that were summarized in the Independent Auditors’ Report dated November 11, 2011 and presents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at the TSA component in support of the DHS FY 2011 consolidated financial statement audit and prepared this IT management letter. KPMG is responsible for the attached IT management letter and the conclusions expressed in it. We do not express opinions on DHS’ financial statements or internal control, or conclusions on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Frank Deffer
Assistant Inspector General
Office of Information Technology

KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

February 16, 2012

Acting Inspector General
U.S. Department of Homeland Security

Chief Information Officer and
Chief Financial Officer
Transportation Security Administration

We have audited the balance sheet of the U.S. Department of Homeland Security (DHS or Department) as of September 30, 2011 and the related statement of custodial activity for the year then ended (referred to herein as the “fiscal year (FY) 2011 financial statements”). The objective of our audit was to express an opinion on the fair presentation of these financial statements. We were also engaged to examine the Department’s internal control over financial reporting of the balance sheet as of September 30, 2011, and statement of custodial activity for the year then ended, based on the criteria established in Office of Management and Budget, Circular No. A-123, Management’s Responsibility for Internal Control, Appendix A. In connection with our audit, we also considered DHS’ compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on the FY 2011 financial statements.

Our Independent Auditors’ Report issued on November 11, 2011, describes a limitation on the scope of our audit that prevented us from performing all procedures necessary to express an unqualified opinion on DHS’ FY 2011 financial statements and internal control over financial reporting. In addition, the FY 2011 DHS Secretary’s Assurance Statement states that the Department was unable to provide assurance that internal control over financial reporting was operating effectively at September 30, 2011.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. In accordance with Government Auditing Standards, our Independent Auditors’ Report, dated November 11, 2011, included internal control deficiencies identified during our audit that, individually or in aggregate, represented a material weakness or a significant deficiency. This letter represents the separate limited distribution report mentioned in that report.

During our audit engagement, we noted certain matters in the areas of access controls, configuration management, security management, contingency planning, and segregation of duties with respect to DHS’ financial systems general Information Technology (IT) controls which we believe contribute to a DHS-level significant deficiency that is considered a material weakness in IT controls and financial system functionality. We also noted that in some cases, financial system functionality is inhibiting DHS’ ability to implement and maintain internal controls, notably IT application controls supporting financial data processing and reporting. These matters are described in the General IT Control Findings and Recommendations section of this letter.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.

Although not considered to be a material weakness, we also noted certain other items during our audit engagement which we would like to bring to your attention. These matters are also described in the General IT Control Findings and Recommendations section of this letter.

The material weakness and other comments described herein have been discussed with the appropriate members of management, or communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. We aim to use our knowledge of DHS’ organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you.
We have not considered internal control since the date of our Independent Auditors’ Report.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key DHS financial systems within the scope of the FY 2011 DHS financial statement audit engagement in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to financial management and reporting internal controls (comments not related to IT) have been presented in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer.

This report is intended solely for the information and use of DHS management, DHS Office of Inspector General (OIG), U.S. Office of Management and Budget (OMB), U.S. Government Accountability Office (GAO), and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
Transportation Security Administration
Information Technology Management Letter
September 30, 2011

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

                                                                     Page
 Objective, Scope, and Approach                                         1
 Summary of Findings and Recommendations                                2
 General IT Control Findings and Recommendations                        3
    Related to IT Controls                                              3
       Configuration Management                                         3
       Access Control                                                   3
       Security Management                                              4
          After-Hours Physical Security Testing                         4
          Social Engineering Testing                                    4
    Related to Financial System Functionality                           5
    Application Controls                                                7

APPENDICES

 Appendix   Subject                                                                                  Page
    A       Description of Key TSA Financial Systems within the Scope of the FY 2011 DHS Financial
            Statement Audit                                                                            8
    B       FY 2011 Notices of IT Findings and Recommendations at TSA                                 10
               • Notice of Findings and Recommendations – Definition of Severity Ratings              11
    C       Status of Prior Year Notices of Findings and Recommendations and Comparison to Current
            Year Notices of Findings and Recommendations at TSA                                       13
    D       Report Distribution                                                                       15

Information Technology Management Letter for the Transportation Security Administration Component of the FY 2011 DHS Financial Statement Audit

OBJECTIVE, SCOPE, AND APPROACH

In connection with our engagement to audit DHS’ balance sheet as of September 30, 2011, and the related statement of custodial activity for the year then ended, we performed an evaluation of general information technology controls (GITC) at TSA, to assist in planning and performing our audit. The U.S. Coast Guard’s (Coast Guard) Finance Center (FINCEN) hosts key financial applications for TSA. As such, our audit procedures over GITC for TSA included testing of the Coast Guard’s FINCEN policies, procedures, and practices, as well as TSA policies, procedures, and practices at TSA Headquarters. The Federal Information System Controls Audit Manual (FISCAM), issued by the GAO, formed the basis of our GITC evaluation procedures. The scope of the GITC evaluation is further described in Appendix A.

The FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency.
FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment.

• Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.

• Access Control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.

• Configuration Management (CM) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.

• Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.

• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit, we also performed technical security testing for key network and system devices. The technical security testing was performed both over the Internet and from within select Coast Guard facilities, and focused on test, development, and production devices that directly support TSA’s financial processing and key general support systems.

In addition to GITC testing, application controls that were identified as key controls by the financial audit team were tested for the year ending September 30, 2011.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2011, TSA took corrective action to address prior year IT control deficiencies. For example, TSA made improvements in its own policies and procedures over its user account recertification process. During FY 2011, we continued to identify IT general control deficiencies that impact TSA’s financial data. The key issue from a financial statement audit perspective related to controls over the development, implementation, and tracking of scripts at Coast Guard’s FINCEN. Collectively, these deficiencies negatively impacted the internal controls over TSA’s financial reporting and its operation, and we consider them to contribute to a material weakness at the Department level under standards established by the American Institute of Certified Public Accountants. In addition, based upon the results of our test work, we noted that TSA did not fully comply with the Department’s requirements of the Federal Financial Management Improvement Act (FFMIA).

Of the six findings issued during our TSA FY 2011 testing, four were repeat findings, and two were new IT findings. These findings represent deficiencies in three of the five FISCAM key control areas. Specifically, the deficiencies were: 1) unverified access controls through the lack of comprehensive user access privilege re-certifications, 2) access control issues involving password complexity settings, 3) use of a generic ‘admin’ user ID and password, 4) security management issues involving the new employee process, and 5) physical security and security awareness issues.

In addition, we determined that the following deficiencies identified at the Coast Guard IT environment also impact TSA financial data: 1) inadequately designed and operating IT script change control policies and procedures, 2) security management issues involving civilian and contractor background investigations, 3) lack of consistent contractor, civilian, and military system account termination notification processes, 4) physical security and security awareness issues, and 5) procedures for role-based training for individuals with elevated responsibilities are not fully implemented. We also considered the effects of financial systems functionality when testing internal controls, since key Coast Guard financial systems that house TSA financial data are not compliant with FFMIA and are no longer supported by the original software provider. Financial system functionality limitations add to the challenge of addressing systemic internal control deficiencies and strengthening the control environment at FINCEN.

These deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and TSA financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in TSA’s financial statements.

While the recommendations made by us should be considered by TSA, it is the ultimate responsibility of TSA management to determine the most appropriate method(s) for addressing the deficiencies identified based on their system capabilities and available resources.

GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Findings:

During the FY 2011 DHS Financial Statement Audit, we identified the following TSA IT and financial system control deficiencies that in the aggregate are considered management letter comments. Our findings are divided into two groupings: 1) financial systems controls, and 2) IT system functionality.

Related to IT Controls:

Configuration Management

The Coast Guard’s core financial system configuration management process controls are not operating effectively, and continue to present risks to TSA financial data confidentiality, integrity, and availability. Financial data in the general ledger may be compromised by automated and manual changes that are not adequately controlled. For example, the Coast Guard uses an IT scripting process to make updates, as necessary, to its core general ledger software to process financial data. We noted that some previously noted weaknesses were remediated, while other control deficiencies continued to exist. The remaining control deficiencies that were present throughout FY 2011 vary in significance; however, four key areas that impact the Coast Guard script control environment are: 1) Script Testing Requirements, 2) Script Audit Logging, 3) Script Approvals and Recertifications, and 4) Script Record Documentation Review.

• Script Testing Requirements: There are no detailed requirements over the review and testing of functional changes to the data, including functional test plans.

• Script Audit Logging: Controls over audit logs in the production databases are not consistently implemented to log privileged user actions and scripts run. A review was implemented in May 2011 to reconcile the scripts run in the production databases against the changes made to the database tables.
   However, this review only occurred one day a month, which covered only 5% of the scripts run in a month.

• Script Approvals and Recertifications: Dimensions (which automates the process for executing scripts into the CAS suite database) users were not being reviewed, and Mashups listings were not complete because they did not include the script runners and system administrators for Dimensions. Additionally, documentation retained in support of the reviews was not adequately completed per FINCEN policy throughout the year.

• Script Record Documentation Review: Fields in the Mashups tool (an automated approval workflow that enforces rules defined in the system for approvals and retains all records within the online database for audit purposes) are not always accurately recorded, and no final review is performed to ensure that they are accurate. Additionally, certain fields should reconcile, and any discrepancies are not always consistently documented and explained.

In addition, we noted weaknesses in the script change management process at the USCG as it relates to the Internal Control over Financial Reporting process (e.g., the financial statement impact of the changes to the FINCEN core accounting system through the script change management process).

Access Control

• Access review procedures for key financial applications do not include the review of all user accounts to ensure that all terminated individuals no longer have active accounts; inactive accounts are locked; and privileges associated with each individual are still authorized and necessary.

• Password settings for one key financial application were not configured to enforce DHS/CG password length or complexity.

• Administrative access to one key financial application is granted to members of the Database Administration (DBA) team through the use of a generic user ID and shared password.

Security Management

• The computer access agreement for TSA employees is not being completed; and

• During our after-hours physical security and social engineering testing, we identified exceptions in the protection of sensitive user account information. The tables below detail the exceptions identified at the locations tested.

After-Hours Physical Security Testing:

We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects include physical access to media and equipment that houses financial data, and information residing on a TSA employee’s / contractor’s desk, which could be used by others to gain unauthorized access to systems housing financial information. The testing was performed at TSA Headquarters.

                 Exceptions Noted                    Total Exceptions at TSA HQ by Type
                 Unsecured Laptop                                    4
                 PII                                                 3
                 DHS/TSA Badge                                       1
                 Keys that unlocked laptops                          2
                 Total Exceptions at TSA HQ                         10

Social Engineering Testing:

Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing / enabling computer system access. The term typically applies to trickery or deception for the purpose of information gathering, or gaining computer system access.

          Total Called    Total Answered    Number of employees who provided their user ID and password
               40               20                                        4

Related to Financial System Functionality:

We noted that financial system functionality limitations are contributing to control deficiencies reported elsewhere in Exhibit I in the Independent Auditor’s Report, dated November 11, 2011, and inhibiting progress on corrective actions impacting TSA. These functionality limitations are preventing the TSA from improving the efficiency and reliability of its financial reporting processes. Some of the financial system limitations lead to extensive manual and redundant procedures to process transactions, verify accuracy of data, and prepare financial statements. Systemic conditions related to financial system functionality include:

• As noted above, Coast Guard’s core financial system configuration management process is not operating effectively due to inadequate controls over the IT script process. The IT script process was instituted as a solution primarily to compensate for system functionality and data quality issues;

• For one financial system that was configured by the vendor, Coast Guard and TSA do not have the ability to modify the vendor-established password settings;

• Production versions of operational financial systems are outdated, no longer supported by the vendor, and do not provide the necessary core functional capabilities (e.g., general ledger capabilities); and

• Issues with current technology are preventing TSA management from reviewing account recertification reports timely.

Recommendations: We recommend that TSA:

• Work with the DHS Chief Financial Officer (CFO), DHS Chief Information Officer (CIO), and the Coast Guard CFO and CIO to ensure the following planned corrective actions take place in a timely manner:
   – Continue to update the procedures, tools, and associated training to better address script record documentation reviews, and provide training to impacted staff.
   – Continue to improve and better document the script audit logging processes and associated technical implementations in compliance with Coast Guard software development lifecycle (SDLC) and CM policies and procedures.
   – Continue to improve and better document script approvals; define and implement script management and execution tool user access/account recertification procedures; and update associated training and provide that training to impacted staff.
   – Continue to improve and better document script testing requirements and associated technical implementations and test environments in compliance with Coast Guard SDLC and CM policies and procedures.
   – Continue to improve the script change management process and other associated internal controls as these relate to the financial statement impact of the changes to the Core Accounting System (CAS) Suite financial databases.
   – Continue to implement policy regarding approval of scripts that impact financial statements.

• The Office of Property Management Systems should closely monitor and follow up with Deputy Property Management Officials to ensure requests are implemented timely for Sunflower.

• As part of the ongoing efforts to strengthen internal controls over access to TSA financial systems, in the second quarter of FY 2011, the Financial Systems Branch added an additional level of quality assurance (QA) review to the quarterly review process.
   The QA step will help minimize human errors in regard to MarkView.

• Monitor FINCEN on the status of the MarkView developer to incorporate the ability to provide for stronger password controls in the MarkView system as required by the DHS Sensitive Systems Policy Directive 4300A.
   – By early September 2011, the MarkView developer should complete an analysis of the level of effort involved to update the product to be in compliance with IT security requirements, i.e., password to be 8 characters in length; contain a combination of alpha, numeric, and special characters; not be the same as the previous 8 passwords; be stored in encrypted form; account locked after 3 failed login attempts; initial login prompts users to change the initial password; and passwords changed every 90 days.
   – TSA should work with FINCEN to develop a schedule to test and implement these changes after the vendor has delivered the new version that incorporates the compliant password controls.

• Implement an automated e-mail notification process so that all new MarkView users are reminded of the requirements of adhering to strong password controls as identified in the DHS 4300A Sensitive Systems Policy.

• Establish a procedure to change the ADMIN password every 90 days as required by the DHS Sensitive Systems Policy Directive 4300A. This will minimize the risk of unauthorized access to the MarkView system.

• Implement a unique user ID and password for all DBAs as required by the DHS Sensitive Systems Policy Directive 4300A. Establishing unique user accounts will create accountability, and system changes will be easily identifiable and traceable to an individual DBA.

• Convert the manual process of keeping hardcopies of the computer access agreement (CAA) to an electronic and computer-based process where employees will be instructed to review the CAA online via TSA’s Online Learning Center.

• Update the policy on the CAA to coincide with this process, so that temporary access to a TSA computer is permitted, making completing the CAA online possible and ensuring compliance with policy and ease of reviewing and maintaining this form.

• Continue to execute the IT Security Awareness Training Program.

• Conduct internal physical security walkthroughs on a semi-annual basis.

• Conduct internal social engineering testing on a quarterly basis.

• Conduct one-on-one training with individuals failing physical security after-hours testing and social engineering attempts.

• Take administrative actions, if needed, on a case-by-case basis.

• Conduct a communications campaign to address the effects of improper handling of physical security; and

• Conduct a communications campaign via broadcasts warning against social engineering.

APPLICATION CONTROLS

Application controls were tested for the year ending September 30, 2011, and we found no issues.

Appendix A

Description of Key TSA Financial Systems within the Scope of the FY 2011 DHS Financial Statement Audit

Below is a high-level description of significant financial management systems included in the scope of the engagement to perform the financial statement audit.

Core Accounting System (CAS)

CAS is the core accounting system that records financial transactions and generates financial statements for the United States Coast Guard. CAS is hosted at the Coast Guard’s FINCEN in Virginia (VA) and is managed by the United States Coast Guard.
The FINCEN is the Coast Guard\xe2\x80\x99s primary financial system data center. CAS\ninterfaces with other systems located at the FINCEN, including Financial and Procurement Desktop (FPD).\nFinancial Procurement Desktop (FPD)\nThe FPD application is used to create and post obligations to the core accounting system. It allows users to\nenter funding, create purchase requests, issue procurement documents, perform system administration\nresponsibilities, and reconcile weekly program element status reports. FPD is interconnected with the CAS\nsystem and is hosted at the FINCEN in VA and is and managed by the United States Coast Guard.\nSunflower\nSunflower is a customized third party commercial off the shelf product used for TSA and Federal Air Marshals\nproperty management. Sunflower interacts directly with the Office of Finance Fixed Assets module in CAS.\nAdditionally, Sunflower is interconnected to the FPD system and is hosted at the FINCEN in VA and is\nmanaged by the United States Coast Guard.\nMarkView\nMarkView is imaging and workflow software used to manage invoices in CAS. 
Each invoice is stored\nelectronically and associated to a business transaction so that users are able to see the image of the invoice.\nMarkView is interconnected with the CAS system and is located at the FINCEN in VA and is managed by the\nUnited States Coast Guard.\n\n\n\n\nInformation Technology Management Letter for the Transportation Security Administration Component\n                          of the FY 2011 DHS Financial Statement Audit\n                                             Page 9\n\x0c                                                                                     Appendix B\n                               Department of Homeland Security\n\n                            Transportation Security Administration\n\n                           Information Technology Management Letter\n                                      September 30, 2011\n\n\n\n\n                                        Appendix B\n\n\n      FY 2011 Notices of IT Findings and Recommendations at TSA\n\n\n\n\n\nInformation Technology Management Letter for the Transportation Security Administration Component\n                          of the FY 2011 DHS Financial Statement Audit\n                                             Page 10\n\x0c                                                                                                    Appendix B\n                                      Department of Homeland Security\n\n                                   Transportation Security Administration\n\n                                  Information Technology Management Letter\n                                             September 30, 2011\n\n\nNotice of Findings and Recommendations \xe2\x80\x93 Definition of Severity Ratings:\n\nEach NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS\nConsolidated Independent Auditors Report.\n\n          1 \xe2\x80\x93 Not substantial \n\n          2 \xe2\x80\x93 Less significant\n\n          3 \xe2\x80\x93 
More significant\n\n\nThe severity ratings indicate the degree to which the deficiency influenced the determination of severity for\nconsolidated reporting purposes.\n\nThese rating are provided only to assist the DHS in prioritizing the development of its corrective action plans for\nremediation of the deficiency.\n\n\n\n\nInformation Technology Management Letter for the Transportation Security Administration Component\n                          of the FY 2011 DHS Financial Statement Audit\n                                             Page 11\n\x0c                                                                                                                        Appendix B\n                                                            Department of Homeland Security\n                                                         Transportation Security Administration\n                                                        Information Technology Management Letter\n                                                                   September 30, 2011\n\n\n\n\nFY 2011 NFR #                           NFR Title                             FISCAM Control Area       2011 Severity   New Issue    Repeat Issue\n                                                                                                           Rating\nTSA-IT-11-01    Markview \xe2\x80\x93 Password Settings                                     Access Controls              2            X\nTSA-IT-11-02    Markview \xe2\x80\x93 Administrator Account                                 Access Controls             2             X\n                Physical Security and Security Awareness Issues Identified       Access Controls\nTSA-IT-11-03                                                                                                 1                            X\n                during Enhanced Security Testing\nTSA-IT-11-04    TSA Computer Access Agreement Process                            Access Controls         
    1                            X\nTSA-IT-11-05    Sunflower and Markview User Account Recertifications             Access Controls             2                            X\n                Configuration Management Controls Over the Coast Guard       Configuration Management\nTSA-IT-11-06                                                                                                 2                            X\n                Scripting Process\n\n\n\n\n            Information Technology Management Letter for the Transportation Security Administration Component of the FY 2011 DHS \n\n                                                          Financial Statement Audit\n\n                                                                   Page 12\n\n\x0c                                                                               Appendix C\n                           Department of Homeland Security\n\n                        Transportation Security Administration\n\n                       Information Technology Management Letter\n                                  September 30, 2011\n\n\n\n\n                                   APPENDIX C\n\n Status of Prior Year Notices of Findings and Recommendations \n\n                       and Comparison to\n\n Current Year Notices of Findings and Recommendations at TSA\n\n\n\n\n\nInformation Technology Management Letter for the Transportation Security Administration\n\n                 Component of the FY 2011 DHS Financial Statement Audit\n\n                                        Page 13\n\n\x0c                                                                                     Appendix C\n                            Department of Homeland Security\n                         Transportation Security Administration\n                        Information Technology Management Letter\n                                   September 30, 2011\n\n\n                                                                                
Disposition\n   NFR #                                Description                         Closed       Repeat\n\n               Physical Security and Security Awareness Issues Identified\nTSA-IT-10-01                                                                                  X\n               during Enhanced Security Testing\nTSA-IT-10-02   CAS, FPD, and Sunflower Access Recertifications                                X\nTSA-IT-10-03   TSA Computer Access Agreement Process                                          X\n               Configuration Management Controls Over the Coast Guard\nTSA-IT-10-04                                                                                  X\n               Scripting Process\n\n\n\n\nInformation Technology Management Letter for the Transportation Security Administration\n\n                 Component of the FY 2011 DHS Financial Statement Audit\n\n                                        Page 14\n\n\x0c                                                                              Appendix D\n                          Department of Homeland Security\n\n                        Transportation Security Administration\n\n                   Information Technology Management Letter\n                                  September 30, 2011\n\n\n\n                 Report Distribution\n\n                 Department of Homeland Security\n\n                 Secretary\n                 Deputy Secretary\n                 General Counsel\n                 Chief of Staff\n                 Deputy Chief of Staff\n                 Executive Secretariat\n                 Under Secretary, Management\n                 Administrator, TSA\n                 DHS Chief Information Officer\n                 DHS Chief Financial Officer\n                 Chief Financial Officer, TSA\n                 Chief Information Officer, TSA\n                 Chief Information Security Officer\n                 Assistant Secretary for Policy\n                 Assistant 
Secretary for Public Affairs\n                 Assistant Secretary for Legislative Affairs\n                 DHS GAO/OIG Audit Liaison\n                 Chief Information Officer, Audit Liaison\n                 TSA Audit Liaison\n\n                 Office of Management and Budget\n\n                 Chief, Homeland Security Branch\n                 DHS OIG Budget Examiner\n\n                 Congress\n\n                 Congressional Oversight and Appropriations Committees as\n                 appropriate\n\n\n\n\nInformation Technology Management Letter for the Transportation Security Administration\n\n                 Component of the FY 2011 DHS Financial Statement Audit\n\n                                        Page 15\n\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General\n(OIG) at (202)254-4100, fax your request to (202)254-4305, or e-mail your request to\nour OIG Office of Public Affairs at DHS-OIG.OfficePublicAffairs@dhs.gov. For\nadditional information, visit our OIG website at www.oig.dhs.gov or follow us on Twitter\n@dhsoig.\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal\nor noncriminal misconduct relative to Department of Homeland Security programs and\noperations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202)254-4292\n\n\xe2\x80\xa2 E-mail us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n        DHS Office of Inspector General/MAIL STOP 2600,\n        Attention: Office of Investigation - Hotline,\n        245 Murray Drive SW, Building 410\n        Washington, DC 20528\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'